fix(bounties): strip per-request fields from fingerprint payloads

add_bounty dedups on (attacker_ip, bounty_type, full payload JSON). Three fingerprint-family bounties (http_useragent, ip_leak, http_quirks) were including method/path / header_count in their payloads — fields that vary per request — so a scanner hitting 100 paths produced 100 rows instead of 1, which is what was swelling AttackerDetail. Payloads now carry identity-only fields: - http_useragent: {fingerprint_type, value}. UA + path combinations no longer collide; one row per distinct User-Agent string. - ip_leak: {source_ip, real_ip_claim, source_header, headers_seen}. One row per distinct (proxy source, leaked IP, leaking header) triple; repeat hits with the same header on different paths dedup. - http_quirks: {fingerprint_type, order_hash, order, casing_hash, casing_category, stable_count, tool_guess}. No more header_count (included volatile headers; Cookie-presence variance broke dedup). Per-request context (path, method, etc.) was never load-bearing for analysts — the logs table already answers "when + where" at per-event resolution. The bounty table is for stable identity. UI: - FpHttpQuirks renderer drops the method/path footer line and the header_count/duplicates tags; shows stable_count instead. - LEAKED-IPs tooltip on AttackerDetail swaps "X on GET /path" for "Leaked via X; source 203.0.113.42" — same information, stable. Tests add a "payload stable across paths and methods" assertion on http_quirks — locks the contract so a future regression that sneaks a per-request field back in fails loudly. Existing duplicate bounty rows don't retroactively collapse. Dev: `decnet db-reset --i-know-what-im-doing drop-tables` and restart. Prod: one SQL pass to dedup by (attacker_ip, bounty_type, payload) — trivial but not automated.
2026-04-24 17:58:54 -04:00
parent dccb410bb3
commit 2c876b4d86
5 changed files with 54 additions and 39 deletions
--- a/decnet_web/src/components/AttackerDetail.tsx
+++ b/decnet_web/src/components/AttackerDetail.tsx
@@ -353,11 +353,8 @@ const FpHttpQuirks: React.FC<{ p: any }> = ({ p }) => {
        {p.casing_category && (
          <Tag>CASE · {String(p.casing_category).toUpperCase()}</Tag>
        )}
-        {typeof p.header_count === 'number' && (
-          <Tag>{p.header_count} HEADERS</Tag>
-        )}
-        {p.duplicates && (
-          <Tag color="var(--warn, #e0a040)">DUPLICATES</Tag>
+        {typeof p.stable_count === 'number' && (
+          <Tag>{p.stable_count} STABLE HEADERS</Tag>
        )}
      </div>
      {order.length > 0 && (
@@ -372,11 +369,6 @@ const FpHttpQuirks: React.FC<{ p: any }> = ({ p }) => {
          </div>
        </details>
      )}
-      {(p.method || p.path) && (
-        <div className="dim" style={{ fontSize: '0.7rem', fontFamily: 'monospace', marginTop: '2px' }}>
-          {p.method} {p.path}
-        </div>
-      )}
    </div>
  );
 };
@@ -1101,9 +1093,7 @@ const AttackerDetail: React.FC = () => {
                  (l) => l.payload?.real_ip_claim === ip,
                );
                const tooltip = latest
-                  ? `${latest.payload.source_header ?? '?'} on ${
-                      latest.payload.method ?? '?'
-                    } ${latest.payload.path ?? '/'}`
+                  ? `Leaked via ${latest.payload.source_header ?? '?'}; source ${latest.payload.source_ip ?? '?'}`
                  : '';
                return (
                  <span